Educause Security Discussion mailing list archives

Re: Snort IDS Frontends


From: Timothy Wright <twright () ND EDU>
Date: Thu, 10 Jul 2003 18:00:05 -0500

At Notre Dame, last year we undertook a thorough examination of what were
some of the top commercial brands in the NIDS business.  In the end, we
found that the best fit was Snort/MySQL/ACID/SnortCenter.  After having our
IDS in production for a short while, I can report that sizing the various
system components correctly should yield smooth results.  In our case, to
fit our environment (and allow for future growth) we used the following:

1 four-processor Xeon with about 300 gigs of hard drive (spread over RAID 1 and RAID 5 arrays), 4 gigs of RAM
8 dual-processor Xeon machines with 1.5 gigs of RAM and nominal hard drive space

You might have guessed that the first of these items is our Snort/ACID
database, while the second consists of the Snort sensors.  All machines run
Red Hat 8 and Snort 2.0.  SnortCenter, although a little rough around the
edges in terms of its interface, has proven quite effective in allowing us
to manage all eight sensors in a centralized fashion.  This system was able
to handle 2 million events in a single day - however, ACID became a
bottleneck with so much data on which to report during its page displays
(i.e., the home page, with all of its global statistics, took a good two or
three minutes to appear!).

The fix was two-fold:  tune the signatures to avoid white noise, and stop
listening to peer-to-peer traffic.  Of course, as with other universities,
we do care about P2P; there's just no need to log P2P in our IDS database
(all we care about are IP addresses and quantities).  So far, we've
effectively dealt with P2P by using IPTraf (running as a daemon on one of
our eight sensors) to do a simple odometer count of all P2P traffic flowing
past.  An alert on these data is sent out automatically a few times each
day.

I should point out that I had to fix a couple of minor issues in ACID
(emailing alert group data was broken, and the graphing function had no way
to adjust the margins between the axes and their labels), as well as add a
module to automate archiving (who wants to archive IDS data by hand??!), and
automate sending out alerts if something on a watch list shows up in the
database.  All of my tweaks can be found in my web space:
http://www.nd.edu/~twright/snortACID/ (soon, I'll have the script I'm using
for IPTraf out there as well).

I would have to say that I'm pleased with the results (and cost savings!!).
Although the hardware we obtained for our NIDS wasn't cheap, we still spent
far, far less than an equivalent commercial solution.

-Tim

--

Timothy Wright, CISSP
Information Security
Office of Information Technology
University of Notre Dame

(574) 631-5863
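Two of the pieces described above, the watch-list alert run against the Snort database and the automated archiving, can be sketched against the schema Snort 2.0 writes to MySQL. What follows is an added example, not the scripts published at the nd.edu URL above: it uses the column names from Snort's create_mysql schema (tables event, iphdr and signature, with source and destination addresses stored as unsigned 32-bit integers) but builds a cut-down copy in SQLite with constructed sample rows so it runs offline. The watch-list addresses, signature names, timestamps and the retention window are assumptions.

```python
"""Watch-list alerting and archiving for a Snort -> MySQL/ACID database.

Added example (not Tim Wright's scripts).  Table and column names follow
Snort 2.0's create_mysql schema (event, iphdr, signature); the rows below
are constructed sample data and the SQLite copy is cut down to the columns
the queries need.  Watch list, timestamps and retention window are assumed.
"""
import socket
import sqlite3
import struct

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER NOT NULL,
                    ip_dst INTEGER NOT NULL, ip_proto INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE event_archive AS SELECT * FROM event WHERE 0;
CREATE TABLE iphdr_archive AS SELECT * FROM iphdr WHERE 0;
CREATE INDEX event_ts ON event (timestamp);
"""

# Constructed sample data: (sid, cid, sig_id, timestamp, src, dst, ip_proto)
SIGNATURES = [(1, "ICMP PING NMAP"), (2, "WEB-IIS cmd.exe access"), (3, "SCAN nmap TCP")]
EVENTS = [
    (1, 1, 1, "2003-07-10 08:00:00", "192.168.1.10", "10.0.0.5", 1),
    (1, 2, 2, "2003-07-10 09:15:00", "10.0.0.5", "172.16.0.2", 6),
    (1, 3, 2, "2003-07-09 23:40:00", "192.168.1.20", "172.16.0.2", 6),
    (1, 4, 3, "2003-06-01 02:05:00", "192.168.1.30", "172.16.0.3", 6),
    (1, 5, 1, "2003-07-10 11:00:00", "192.168.1.40", "172.16.0.9", 1),
]


def ip2int(dotted):
    """Dotted quad -> unsigned 32-bit int, the form Snort's iphdr table stores."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int2ip(n):
    """Inverse of ip2int, for readable alert output."""
    return socket.inet_ntoa(struct.pack("!I", n))


def build_sample_db():
    """In-memory SQLite stand-in for the Snort/ACID MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    for sid, cid, sig, ts, src, dst, proto in EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                     (sid, cid, ip2int(src), ip2int(dst), proto))
    conn.commit()
    return conn


def watch_list_hits(conn, watch_ips, since):
    """Events since `since` whose source or destination is on the watch list.

    Returns (timestamp, signature name, src, dst) tuples ordered by time.
    """
    ints = [ip2int(ip) for ip in watch_ips]
    if not ints:
        return []
    marks = ",".join("?" * len(ints))
    sql = f"""
        SELECT e.timestamp, s.sig_name, i.ip_src, i.ip_dst
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp >= ?
          AND (i.ip_src IN ({marks}) OR i.ip_dst IN ({marks}))
        ORDER BY e.timestamp"""
    rows = conn.execute(sql, [since, *ints, *ints]).fetchall()
    return [(ts, name, int2ip(src), int2ip(dst)) for ts, name, src, dst in rows]


def format_alert(hits):
    """Plain-text body for the periodic watch-list mail."""
    return "\n".join(f"{ts}  {name:<28} {src} -> {dst}" for ts, name, src, dst in hits)


def archive_events(conn, older_than):
    """Move event/iphdr rows older than `older_than` into the *_archive tables.

    Keeps the live tables small so ACID's summary pages stay responsive.
    Returns the number of events moved.
    """
    with conn:  # one transaction: copy both tables, then delete child rows first
        moved = conn.execute("SELECT COUNT(*) FROM event WHERE timestamp < ?",
                             (older_than,)).fetchone()[0]
        conn.execute("INSERT INTO event_archive SELECT * FROM event WHERE timestamp < ?",
                     (older_than,))
        conn.execute("""INSERT INTO iphdr_archive
                        SELECT i.* FROM iphdr i JOIN event e
                          ON e.sid = i.sid AND e.cid = i.cid
                        WHERE e.timestamp < ?""", (older_than,))
        conn.execute("""DELETE FROM iphdr WHERE EXISTS (
                          SELECT 1 FROM event e WHERE e.sid = iphdr.sid
                            AND e.cid = iphdr.cid AND e.timestamp < ?)""", (older_than,))
        conn.execute("DELETE FROM event WHERE timestamp < ?", (older_than,))
    return moved


if __name__ == "__main__":
    db = build_sample_db()
    print(format_alert(watch_list_hits(db, ["10.0.0.5"], since="2003-07-10 00:00:00")))
    print("archived", archive_events(db, older_than="2003-07-01 00:00:00"), "events")
```

Against the real MySQL database the same queries apply, with `INET_ATON()`/`INET_NTOA()` available in place of the Python conversion helpers; the point of keeping the conversion explicit is that the iphdr columns are integers, so a watch-list query that compares them against dotted-quad strings silently matches nothing.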
----- Original Message -----
From: "Crawford, Charles D" <ccrawf () KU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, July 10, 2003 5:20 PM
Subject: [SECURITY] Snort IDS Frontends


Hello List,

I know this has been a hot item on many listservs lately, but I am interested to hear what other institutions are using for front ends on Snort.

We have tried ACID, PureSecure, and Applied Watch.  All have their pros and cons.

ACID would be great if it weren't so slow. (Free is appealing, but it doesn't seem scalable; we had over 500,000 records in our database and it took over 2 minutes a whack on the mouse to get anything back.)

PureSecure looks good --- budgets/state/money/hmmm, might be a tough one to sell.

Applied Watch --- Not sure how I felt about it... Pretty expensive.



Any feedback would be excellent.

thanks



Charles Crawford
IT Security Officer
University of Kansas
(785)864-0491
ccrawf () ku edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.

